Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!1.eu.feeder.erje.net!newsfeed.xs4all.nl!newsfeed2a.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <grantcmurphy@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.029
X-Spam-Evidence: '*H*': 0.94; '*S*': 0.00; 'pypi': 0.07; 'subject:PEP': 0.07; 'dependency': 0.09; 'subject:PyPI': 0.09; 'url:github': 0.09; 'python': 0.11; 'pulling': 0.16; 'reasonably': 0.16; 'suggestion.': 0.16; 'trying': 0.19; 'seems': 0.21; 'cc:addr:gmail.com': 0.22; 'community.': 0.22; 'cc:2**1': 0.23; 'message-id:@mail.gmail.com': 0.30; "i'd": 0.34; 'could': 0.34; 'something': 0.35; 'received:google.com': 0.35; 'there': 0.35; 'version': 0.36; 'hi,': 0.36; 'feedback': 0.38; 'to:addr:python- list': 0.38; 'track': 0.38; 'ability': 0.39; 'does': 0.39; 'to:addr:python.org': 0.39; 'release': 0.40; 'how': 0.40; 'extended': 0.61; 'information': 0.63; 'forward': 0.65; 'management': 0.65; 'within': 0.65; 'worth': 0.66; 'capability': 0.84
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=rRqpT4PvSXiRX9rEGgusnj3P7b/7SbgeFrMVB/4ksa4=; b=F02a3C+eVQa8KiSOndJpN6TU5CcjJ7zO/swHRBmqY9y2s4evof9fVsM3hBo2TCwbY1 dxK7wvtKs+8TtMhZs8cQH8sA673xJgs5fV7TEgheBRM8bsh+znTMgs1DR0WTz8LrRgYA Ro52n7OHUKR2kb4j2F8XNHRDbMrbYfQ9s+SzEVmSnhQsyuxPfu6wh/D17C5844qrOBSf tR6dzyKIYqNMFqSS7x9w46vVw25ZxD9SHrVlPIJZnEE4mXoeUpV5S1/AgwC0Le3n4i+1 Q+9Iz7bxyzXtWygDTnXF0rXXEa6TnHT+GBoACJsEL03kH9Y1kC5HFKjAvnAxzHMzzxF2 UotA==
MIME-Version: 1.0
X-Received: by 10.140.96.202 with SMTP id k68mr21861285qge.102.1431459995564; Tue, 12 May 2015 12:46:35 -0700 (PDT)
Date: Tue, 12 May 2015 12:46:35 -0700
Subject: Suggestion: PEP for tracking vulnerable packages within PyPI
From: Grant Murphy <grantcmurphy@gmail.com>
To: python-list@python.org
Cc: Arun Babu Neelicattu <arun.neelicattu@gmail.com>, David Jorm <david.jorm@gmail.com>
Content-Type: text/plain; charset=UTF-8
X-Mailman-Approved-At: Tue, 12 May 2015 22:23:09 +0200
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.20+
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.414.1431462191.12865.python-list@python.org>
Lines: 21
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1431462191 news.xs4all.nl 2926 [2001:888:2000:d::a6]:44599
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:90490

Hi,

When pulling in a dependency via pip it is currently difficult to reason about
whether there are any vulnerabilities associated with the package version you
are using. I think the Python package management infrastructure could be
extended to facilitate this capability reasonably easily. PyPI already
contains a lot of metadata around package owners and releases available.
Adding the ability to flag a release as having a vulnerability and CVE
associated with it seems like a reasonable addition to me.

Currently there are some projects that are trying to track this information [1],
however by including this type of information as a part of the main Python
infrastructure I think it would encourage better vulnerability management
practices within the community.

I'd like some feedback on how to move forward with this suggestion. Does
this seem like something that could be worth turning into a PEP?

1. https://github.com/victims/victims-cve-db

- Grant